Scenario
Certificates issued by a Kubernetes cluster installed with kubeadm are valid for only one year by default, so certificate renewal has to be planned for. The official recommendation is to upgrade the cluster version, which re-initializes the certificate validity period as a side effect. kubeadm itself, however, can renew the certificates for another year in place. Back up the relevant data before starting so that you can roll back later.
Note: kubelet.conf is not included in the certificate list because kubeadm configures the kubelet to renew its certificates automatically.
Check certificate expiry dates
I renewed the certificates in this environment earlier, so the dates shown are not yet expired; this does not affect the steps that follow.
`[root@dm01 ~]# kubeadm alpha certs check-expiration`
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 04, 2022 02:36 UTC 318d no
apiserver Feb 04, 2022 02:36 UTC 318d ca no
apiserver-etcd-client Feb 04, 2022 02:36 UTC 318d etcd-ca no
apiserver-kubelet-client Feb 04, 2022 02:36 UTC 318d ca no
controller-manager.conf Feb 04, 2022 02:36 UTC 318d no
etcd-healthcheck-client Feb 04, 2022 02:36 UTC 318d etcd-ca no
etcd-peer Feb 04, 2022 02:36 UTC 318d etcd-ca no
etcd-server Feb 04, 2022 02:36 UTC 318d etcd-ca no
front-proxy-client Feb 04, 2022 02:36 UTC 318d front-proxy-ca no
scheduler.conf Feb 04, 2022 02:36 UTC 318d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Sep 23, 2030 04:11 UTC 9y no
etcd-ca Sep 23, 2030 04:11 UTC 9y no
front-proxy-ca Sep 23, 2030 04:11 UTC 9y no
Preparatory backups
Back up the certificate files:
`# mkdir /etc/kubernetes.bak`
`# cp -r /etc/kubernetes/pki/ /etc/kubernetes.bak`
`# cp /etc/kubernetes/*.conf /etc/kubernetes.bak`
Back up the etcd data:
`# cp -r /var/lib/etcd /var/lib/etcd.bak`
Capture the cluster's kubeadm configuration:
`# kubeadm config view > kubeadm.yaml`
Run the certificate renewal command
`[root@dm01 ~]# kubeadm alpha certs renew all --config=kubeadm.yaml`
W0322 13:56:47.613673 5677 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Check the certificate dates again
`[root@dm01 ~]# kubeadm alpha certs check-expiration`
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Mar 22, 2022 05:56 UTC 364d no
apiserver Mar 22, 2022 05:56 UTC 364d ca no
apiserver-etcd-client Mar 22, 2022 05:56 UTC 364d etcd-ca no
apiserver-kubelet-client Mar 22, 2022 05:56 UTC 364d ca no
controller-manager.conf Mar 22, 2022 05:56 UTC 364d no
etcd-healthcheck-client Mar 22, 2022 05:56 UTC 364d etcd-ca no
etcd-peer Mar 22, 2022 05:56 UTC 364d etcd-ca no
etcd-server Mar 22, 2022 05:56 UTC 364d etcd-ca no
front-proxy-client Mar 22, 2022 05:56 UTC 364d front-proxy-ca no
scheduler.conf Mar 22, 2022 05:56 UTC 364d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Sep 23, 2030 04:11 UTC 9y no
etcd-ca Sep 23, 2030 04:11 UTC 9y no
front-proxy-ca Sep 23, 2030 04:11 UTC 9y no
Note: the certificate dates have changed and are now valid for one year from the current time.
Regenerate the kubeconfig files
`[root@dm01 ~]# kubeadm init phase kubeconfig all --config kubeadm.yaml`
W0322 13:57:22.000723 6057 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/admin.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Using existing kubeconfig file: "/etc/kubernetes/scheduler.conf"
Replace the old kubectl config with the newly generated one:
`# mv $HOME/.kube/config $HOME/.kube/config.old`
`# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config`
`# chown $(id -u):$(id -g) $HOME/.kube/config`
Restart the four control-plane containers (kube-apiserver, kube-controller-manager, kube-scheduler, etcd). Moving their static pod manifests out of /etc/kubernetes/manifests is enough: the kubelet stops the pods, and moving the directory back recreates them with the new certificates.
`# mv /etc/kubernetes/manifests /etc/kubernetes/manifests.bak`
`# docker ps | grep -i api` (wait until the containers have stopped, then move the directory back)
`# mv /etc/kubernetes/manifests.bak /etc/kubernetes/manifests`
To verify the renewal, check the validity period of the certificate served by the apiserver; the end date is now one year out:
`[root@dm01 /etc/kubernetes]# echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate`
notAfter=Mar 22 05:56:48 2022 GMT
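As an added example (not code from the original post), the following Python script turns the two manual checks above, the `kubeadm alpha certs check-expiration` table and the `notAfter=` line from `openssl x509 -noout -enddate`, into a check that can run from a scheduled job: it parses both formats and lists every certificate expiring within a warning window, so an expiry is noticed before the apiserver stops accepting connections. The sample table embedded in the script is the pre-renewal output from this post; the reference time `SAMPLE_NOW`, the 30-day default window and the function names are assumptions of this example.

```python
"""Expiry check for kubeadm-managed certificates.

Added example, not code from the original post. It parses the output formats
shown in the post:
  * the table printed by `kubeadm alpha certs check-expiration`
  * the `notAfter=...` line printed by `openssl x509 -noout -enddate`
and lists every certificate that expires within a warning window. The sample
table is the pre-renewal output from the post; SAMPLE_NOW, the 30-day default
window and the function names are assumptions of this example.
"""
from datetime import datetime, timezone

# "Feb 04, 2022 02:36" as printed by kubeadm (the trailing "UTC" is checked separately)
KUBEADM_DATE_FMT = "%b %d, %Y %H:%M"
# "Mar 22 05:56:48 2022" as printed by openssl (the trailing "GMT" is stripped first)
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y"

# Sample input: the check-expiration output from the post, before renewal.
SAMPLE_CHECK_EXPIRATION = """\
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Feb 04, 2022 02:36 UTC 318d no
apiserver Feb 04, 2022 02:36 UTC 318d ca no
apiserver-etcd-client Feb 04, 2022 02:36 UTC 318d etcd-ca no
apiserver-kubelet-client Feb 04, 2022 02:36 UTC 318d ca no
controller-manager.conf Feb 04, 2022 02:36 UTC 318d no
etcd-healthcheck-client Feb 04, 2022 02:36 UTC 318d etcd-ca no
etcd-peer Feb 04, 2022 02:36 UTC 318d etcd-ca no
etcd-server Feb 04, 2022 02:36 UTC 318d etcd-ca no
front-proxy-client Feb 04, 2022 02:36 UTC 318d front-proxy-ca no
scheduler.conf Feb 04, 2022 02:36 UTC 318d no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Sep 23, 2030 04:11 UTC 9y no
etcd-ca Sep 23, 2030 04:11 UTC 9y no
front-proxy-ca Sep 23, 2030 04:11 UTC 9y no
"""

# Sample input: the openssl end-date line from the post, after renewal.
SAMPLE_ENDDATE = "notAfter=Mar 22 05:56:48 2022 GMT"

# Assumed reference time: the post's renewal ran at 13:56 local time and produced
# certificates expiring at 05:56 UTC a year later, so "now" is taken as 05:56 UTC.
SAMPLE_NOW = datetime(2021, 3, 22, 5, 56, tzinfo=timezone.utc)


def parse_check_expiration(text):
    """Return {certificate name: expiry as an aware UTC datetime}.

    Both tables (leaf certificates and CAs) share the row layout
    NAME  Mon DD, YYYY HH:MM UTC  RESIDUAL  [CA]  EXTERNALLY-MANAGED,
    so one parser handles both; header and [check-expiration] lines are skipped.
    """
    expiries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[5] != "UTC":
            continue  # header, progress line, or a row in an unexpected layout
        expiry = datetime.strptime(" ".join(parts[1:5]), KUBEADM_DATE_FMT)
        expiries[parts[0]] = expiry.replace(tzinfo=timezone.utc)
    return expiries


def parse_openssl_enddate(line):
    """Parse 'notAfter=Mar 22 05:56:48 2022 GMT' into an aware UTC datetime."""
    key, sep, value = line.strip().partition("=")
    if sep != "=" or key != "notAfter":
        raise ValueError("expected a notAfter= line, got: %r" % line)
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def expiring_within(expiries, now, days=30):
    """Return [(name, whole days left)] for certificates expiring within `days`.

    Already-expired certificates get a negative day count and sort first.
    """
    hits = [(name, (exp - now).days) for name, exp in expiries.items()
            if (exp - now).days <= days]
    return sorted(hits, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    # With live data, feed in the output of the two commands instead of the samples.
    now = datetime.now(timezone.utc)
    table = parse_check_expiration(SAMPLE_CHECK_EXPIRATION)
    table["apiserver (served on :6443)"] = parse_openssl_enddate(SAMPLE_ENDDATE)
    for name, left in expiring_within(table, now, days=30):
        print("WARNING: %s expires in %d day(s)" % (name, left))
```

Run against the sample data with `SAMPLE_NOW` and a 365-day window, the ten leaf certificates are reported with 318 days left (matching kubeadm's own "318d" column) while the three CAs, valid until 2030, are not; with the 30-day default nothing is reported. Feeding the script the live command output on each control-plane node gives an early warning well before the one-year expiry described above.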